From 3e4469bb298749487c87dd4d40bcc6c4eaf1c9a0 Mon Sep 17 00:00:00 2001
From: Lexi Winter <lexi@le-fay.org>
Date: Tue, 10 Jun 2025 14:28:28 +0100
Subject: always make 18.198.in-addr.arpa insecure

---
 unbound.conf.erb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'unbound.conf.erb')

diff --git a/unbound.conf.erb b/unbound.conf.erb
index 4755c83..1490c41 100644
--- a/unbound.conf.erb
+++ b/unbound.conf.erb
@@ -96,6 +96,11 @@ server:
 <%   end -%>
 <% end -%>
 
+# Zones which are always insecure, because they don't exist on the Internet.
+<% insecure_zones.split.each do |zone| -%>
+	domain-insecure: <%= zone %>
+<% end -%>
+
 # DN42 zones.  These don't need to be private, but should be insecure for now.
 # Ideally we'd have a way to validate these properly.
 <% dn42_zones.split.each do |zone| %>
-- 
cgit v1.2.3